Via the VMware console the NetScaler is responsive, and when issuing the command “show interface” the NetScaler responds by listing all its network interfaces. I noticed that the interface of the NSIP was shut down for administrative reasons (I cannot recall the exact message). When enabling this interface with the command enable interface 0/1, everything seemed to be working again until you try one of the earlier-mentioned actions.

If you experience this, there is a good chance that the VMware server on which the NetScaler VPX is running was upgraded with patches from VMware ESXi 5.5.0 U2. Both VMware and Citrix have released KB documents about this issue:

Create the file /flash/boot/loader.conf.local (if not present) with the same permissions as /flash/boot/loader.conf. Add the following line and reboot:

hw.em.txd=512

Note: To create the file, use the command touch loader.conf.local.

vi Commands

The following are the vi commands to edit the document:

From the NetScaler shell type: vi <filename>

Move the cursor to the last character of text in the file, press “a” and then Enter.

Type the line: hw.em.txd=512

Press the ESC key and then the “:” key. The cursor will move to the bottom of the screen; then type wq!.

After this procedure, reboot the NetScaler and all should be working fine again.

During my current project I had to build a NetScaler cluster for Access Gateway functionality. After initially configuring the Access Gateway vServer I noticed that user accounts that are marked for “Change Password on next Logon” could not authenticate, neither via the Access Gateway logon page nor via Dell Wyse thin clients that are configured for StoreFront access (via NetScaler Access Gateway). Password change directly via StoreFront 2.6 was working flawlessly. After some googling I managed to get this working; I followed these steps to successfully configure “Allow Password Change” via NetScaler.

4. Enable Secure LDAP on domain controllers

After creating the RootCA we need to enable secure LDAP on the domain controllers. For this to work we need to create a CSR on the domain controllers. To do this you need to log in to (all) your domain controller(s) and create a CSR. Copy the contents of this file to Notepad and name the file request.inf. Save the file to c:\windows\temp.

5. Sign the Domain Controller certificate

Now sign this CSR with the RootCA certificate created earlier, via Create Certificate, using these values:

Enter Certificate File name = /nsconfig/ssl/servername.cer

Certificate Format = PEM

Certificate Type = SERVER

CSR File = /nsconfig/ssl/servername.csr

Key Format = PEM

Validity Period = 365 (max 3650)

Key Filename = /nsconfig/ssl/RootCA.key

CA Certificate File Name = /nsconfig/ssl/RootCA.cer

CA Certificate File format = PEM

CA Key File Name = /nsconfig/ssl/RootCA.key

CA Key File Format = PEM

PEM Passphrase = RootCA PEM Password

CA Serial File Number = /nsconfig/ssl/servername.serial

6. Export RootCA as PFX

On the NetScaler SSL Administration page click Export PKCS#12 and use these values:

PKCS12 File Name = /nsconfig/ssl/RootCA.pfx

Certificate File Name = /nsconfig/ssl/RootCA.cer

Key Filename = /nsconfig/ssl/RootCA.key

Export Password = thisisanewpassword

PEM Passphrase = RootCA PEM Password

7. Import RootCA Certificate on Domain Controllers

Download the PFX file to C:\windows\temp on your domain controller and import it into the Trusted Root part of the machine certificate store. When importing, select “mark this key as exportable”. Repeat this step on all your domain controllers.

8. Import Server Certificate

Download the servername.cer file from the NetScaler to the domain controller's c:\windows\temp, open a command prompt with elevated rights and issue the command(s):

cd \windows\temp
certreq -accept servername.cer

Test your secure LDAP with ldp.exe: select Connect and enter the server name on which you just imported the certificates. Use port 636 and check the SSL option.
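The domain-controller side of steps 4, 7 and 8 plus the LDAPS check above, as an added PowerShell example (not from the original post). It assumes the DC FQDN and file names shown, an elevated session on Windows Server 2012 or later (PKI module), and it imports RootCA.cer into the Root store instead of the PFX, which is all the trust store needs.

```powershell
# Added example, not from the post. Run in an elevated PowerShell on the DC.
$dc  = "dc01.example.local"     # assumption: this DC's FQDN, the name LDAPS clients connect to
$tmp = "C:\Windows\Temp"

# Step 4: write request.inf and generate the CSR. The template follows the
# standard Microsoft LDAPS request layout; the Subject value is an assumption.
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$dc"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content "$tmp\request.inf" -Encoding ASCII
certreq -new "$tmp\request.inf" "$tmp\servername.csr"
# Upload servername.csr to /nsconfig/ssl/ and sign it on the NetScaler (step 5).

# Step 7: trust the NetScaler RootCA. The post imports RootCA.pfx; the Root
# store only needs the public certificate, so the CA private key stays off the DC.
Import-Certificate -FilePath "$tmp\RootCA.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 8: bind the signed certificate to the pending request's private key.
certreq -accept "$tmp\servername.cer"

# Check (what the ldp.exe test does): a TLS handshake on 636 with normal chain
# validation. No callback ignores errors, so an untrusted chain or a name
# mismatch throws instead of silently "working".
$tcp = New-Object Net.Sockets.TcpClient($dc, 636)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($dc)
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS OK: {0} issued by {1}, valid until {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter
} finally {
    $ssl.Dispose(); $tcp.Close()
}
```

The handshake check only proves the DC presents a certificate chained to the imported RootCA under the expected name; the NetScaler LDAP action in step 9 still has to be pointed at port 636 with the secure connection type for password changes to work.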

9. Configure Authentication Server object on Netscaler

Log in to the NetScaler Administration Console.

Browse to NetScaler > System > Authentication > LDAP and in the right pane click Servers and then Add.

Enter the required information; make sure to use these settings to enable secure LDAP connections:

Yesterday a lot of attention was drawn to the latest OpenSSL vulnerability (CVE-2014-0160). This vulnerability exposes a lot of SSL deployments to great risk, because OpenSSL is a very popular SSL implementation used in a great range of Unix/Linux-based applications and appliances.

Being very busy with Citrix NetScaler lately, I immediately recognized the great potential risk of this vulnerability, because the NetScaler firmware also uses OpenSSL. So I investigated this risk based on my own up-to-date NetScaler firmware (124.13) to find out whether this firmware version and possibly older versions are vulnerable to the CVE-2014-0160 (Heartbleed) bug.

The first test I did was to browse to a site that checks your site for this specific vulnerability, http://filippo.io/Heartbleed. The result of the test was not very conclusive: “write tcp xxx.xxx.xxx.xxx:443: broken pipe”.

After this check I wondered which versions of OpenSSL are affected by this vulnerability. According to OpenSSL.org's own site the vulnerability exists in versions: 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1.

So I immediately logged in to the NetScaler's SSH console and entered the following commands:

So I'm very glad to see that the latest version of the NetScaler firmware, 124.13, does not contain this vulnerability. However, I'm shocked by the ancient version of OpenSSL (release date 25 Oct 2004!!!!) that is used by this latest NetScaler firmware. There is a whole list of vulnerabilities that have been fixed since.

Update 1 09-04-2014: Citrix's security team seems to confirm that NetScaler is not at risk. A public statement has not yet been released.

Update 2 09-04-2014: Citrix now officially announces that the Citrix NetScaler/Access Gateway/StoreFront products are NOT vulnerable to CVE-2014-0160. The Citrix support document can be found here.

When I was drawing an architectural document in Visio, I needed some stencils. After a quick search on Google I found some and bundled them for my convenience; hopefully you like them as well.